[gin-auth] Are we done ?
Dane Skow
skow at mcs.anl.gov
Thu Nov 9 16:58:06 CST 2006
In reviewing the status of this group for others recently, I've been
pondering where we are and what next for interoperation in
authorization/authentication infrastructure. The slides presented at
GGF18 are available at http://forge.gridforum.org/sf/tracker/do/viewArtifact/projects.gin/tracker.draftplans2006/artf5584?nav=1&selectedTab=attachments
I'd like to see what this group thinks regarding what we should be
doing next.
We defined Phase 1 GIN interoperation as the following agreements:
1) RFC 3820 proxies would be the identity/authentication vehicles for
interoperation.
2) VOMS proxy extensions would be the common denominator for
conveying authorization attributes.
3) IGTF CA accreditation would establish the common set of sources of
certificates.
4) Delegation would be supported by GSI delegation for pre-WS GRAM/
GridFTP. A common WS-Delegation would be supported for WS interfaces.
5) We established a naming convention for VOs and established a
bootstrap VOMS service for newcomers to test interoperation.
In my opinion, I see the following status:
1) has been accomplished. I'm not sure all proxies in use these days
are RFC 3820 compliant, but the move is clearly that way and most
code properly handles the earlier versions so interoperation hasn't
been a problem.
2) has been used effectively by multiple grids and the specification
of the extensions has been documented (has that spec been published
actually?). The use of attributes to date, as far as I know, has been
to map a single individual in different roles to different execution
environments (e.g. accounts) from a pre-loaded map. Dynamic mapping
of groups (without requiring pre-registration) has not been deployed
in practice yet, but there are no technical obstacles.
3) What problems there have been in recognition of credentials have
been in cases where the credentials come from a non-IGTF CA. There is
interest in other groups of certificate authorities, but none
pressing for production grid use at this time, in this community.
4) seems to be working well enough for the pre-WS GRAM and GridFTP
interoperation to date. It is not clear to me there is a consensus
yet on the WS delegation definition/implementation. Perhaps we should
run a survey/test here as the deployment and use of WS services grows.
5) the bootstrap service is operational and has been useful for
testing and getting started. I don't believe the naming convention
agreement has had any impact on the production VOs, but there does
not appear to yet be any problem with name collisions in production.
Looking forward, are there other things that we should be pursuing at
this time? I think it appropriate for GIN groups to restrict
themselves to issues that are current or imminent interoperation
issues and targeted at production services (lest we end up creating
yet another design group).
The mailing list has been rather quiet lately and I confess that I've
been consistently distracted by my "day job" as well. If there were
someone interested in stepping forward to lead an agenda for a Phase
II, then I would be glad to pass the baton. Alternately, we could
declare our work done for this phase and go dormant pending needs for
resurrecting in a later phase. The list has value as a communications
channel among specialists in the area across the grids, so I would
not advocate shutting down the list even should we decide that the
charge of the group has been accomplished.
What do folks think?
Dane
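The attribute-to-account mapping that point 2 describes, as an added example that is not part of the original post or of any VOMS or LCMAPS code: a parser for VOMS FQANs (`/vo/group/.../Role=r/Capability=c`) and a mapper that first consults a pre-loaded (group, role) map and otherwise leases a per-group pool account without pre-registration. The VO `examplevo`, the account names and the subject DNs are constructed.

```python
from typing import NamedTuple, Optional

class FQAN(NamedTuple):
    """A VOMS Fully Qualified Attribute Name: /vo[/group...][/Role=r][/Capability=c]."""
    group_path: str            # "/vo/group/..." with Role and Capability stripped
    role: Optional[str]        # None when absent or given as "NULL"
    capability: Optional[str]

def parse_fqan(text: str) -> FQAN:
    """Parse an FQAN string; group components may not follow Role/Capability."""
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    groups, attrs = [], {}
    for part in text.split("/")[1:]:
        key, sep, value = part.partition("=")
        if not sep and part and not attrs:              # plain group component
            groups.append(part)
        elif sep and key in ("Role", "Capability") and key not in attrs:
            attrs[key] = None if value in ("", "NULL") else value
        else:
            raise ValueError(f"malformed FQAN: {text!r}")
    if not groups:
        raise ValueError(f"FQAN has no VO component: {text!r}")
    return FQAN("/" + "/".join(groups), attrs.get("Role"), attrs.get("Capability"))

# Constructed site configuration (not from the original post).
KNOWN_VOS = {"examplevo"}                       # VOs this site has agreed to serve
STATIC_MAP = {("/examplevo", "admin"): "evoadmin",                 # pre-loaded map:
              ("/examplevo/production", "production"): "evoprod"}  # (group, role) -> account
POOL_SIZE = 3                                   # pool accounts <vo>_<group>001..003

def map_account(subject_dn: str, fqans: list, leases: dict) -> Optional[str]:
    """Map the primary (first) FQAN to an account (None = deny): pre-loaded entry first, else a leased pool account."""
    primary = parse_fqan(fqans[0]) if fqans else None
    if primary is None or primary.group_path.split("/")[1] not in KNOWN_VOS:
        return None                             # no attributes or untrusted VO
    if fixed := STATIC_MAP.get((primary.group_path, primary.role)):
        return fixed
    key = (subject_dn, primary.group_path)
    if key not in leases:                       # first visit: take the lowest free slot
        in_use, prefix = set(leases.values()), primary.group_path.strip("/").replace("/", "_")
        free = [f"{prefix}{i:03d}" for i in range(1, POOL_SIZE + 1)
                if f"{prefix}{i:03d}" not in in_use]
        if not free:
            return None                         # pool exhausted: deny rather than share
        leases[key] = free[0]
    return leases[key]                          # same subject and group -> same account
```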